1. Introduction to Practical Cryptography
Hash Functions

2. Agenda Hash Functions Properties Uses General Design
Examples: MD4, MD5, SHA-0, SHA-1, SHA-256
Collision Attacks – General Method
SHA3 competition

3. Hash Properties
Map bit strings of arbitrary length to fixed-length outputs
h = hash(m), h is fixed-length, short
Not injective, but collisions unlikely
Example: 2160 possible values
Computationally infeasible to generate collisions
Computationally infeasible to invert

4. Hash Properties
Preimage resistant: given h, hard to find m such that h = hash(m)
Second preimage resistant: given m1, hard to find m2 (≠ m1) such that hash(m1) = hash(m2)
Collision-resistant: hard to find m1 and m2, m2 ≠ m1, such that hash(m1) = hash(m2)

5. In Practice Heuristics Simple operations, performance:
Iterative, series of rounds
Diffusion through logical operations, addition, shifts, rotates

6. Uses Data integrity: Shorten data for signing Data Structures:
Error detection
Attacker can still modify file and recompute hash
Forgery, modification - MAC
Shorten data for signing
Data Structures:
Hash list
Hash (Merkle) Tree
Hash Table

7. Hash - Uses Integrity – Error Detection
Hash file/message
Attacker can still modify file and recompute hash
Integrity – prevent forgery, modification
MAC (keyed hash)
Authentication
Signature: hash data to shorten (for efficiency) then encrypt with public key algorithm
Append shared secret to unencrypted data then hash
Random bits
Data Structures:
Hash list
Hash (Merkle) Tree
Hash Table

8. MAC Message Authentication Code – keyed hash Examples:
Encrypt hash with symmetric key cipher
HMAC H(H(K  c1) || H((K  c2) || m))

9. CBC-MAC (tag) Need to be careful in designing a MAC:
Without knowing the key k, can ask to calculate the CBC-MAC tag of any message
Produce a MAC for a new message:
use two message-tag pairs (m,t) and (m',t’),
m and m' : single blocks (can be random)
(m || (t  m’), t’) : valid message-tag pair
CBC-MAC of m || (t  m’) is t’ (see next slide)

10. CBC-MAC two message-tag pairs (m,t) and (m',t’),
m and m' : single blocks (can be random)
CBC-MAC of m || (t  m’) is also t’
when computing CBC, result from m is t (“ciphertext” from block cipher)
then continuing CBC mode:
t is XORed with t  m’
t  m’  t = m’ and the result is the next input to the block cipher
thus the output is t’
therefore, (m || t  m’, t’) is a valid message-tag pair

11. MAC MAC: H(Key | message) Append attack
With most current hashes that “chain” blocks can get a valid MAC for H(Key | message | message’)
Put the secret at the end of the message
Don’t use all the output bits as the MAC

12. HMAC H( (key  const1) || H( ((key || 0..0)  const2) || data) )
Append 0’s to key until have 512 bits
XOR with constant and prepend to data
Hash
XOR key with different constant and prepend to result
Hash again
H( (key  const1) || H( ((key || 0..0)  const2) || data) )
If H is secure, so is HMAC:
Collision resistant
If given HMAC(key,x), can’t compute HMAC(key,y) without knowing key

13. Generating “Random” Bits
Hash together information containing some randomness
Copy of every keystroke, mouse event
Time between keystrokes
Disk seek latency, sector number, etc.
Contents of the display
Audio input
Packet inter-arrival latency, CPU load
Hash all this information together
Allows generation of pseudo-random data

14. Challenge-Response without Encryption
Alice Bob
Ra >
< H(K | Ra), Rb
H(K | Rb) >
H is a hash function
K is a shared secret
Ra,Rb are random values

15. Storing Passwords Idea: hash password and store result
When user enters password, hash and compare with stored value

16. Password Storing Old Unix password algorithm:
Store hash of user password
Hash typed password, compare with stored hash
First 8 bytes of password are the secret key
Then encrypt all-zeroes block with DES-like algorithm
Salt: 12-bit random number, (used in modified DES)
Salt stored with hashed result
Later versions used MD5, Blowfish

17. Hash List
h21
h11
h12
h13
h14
h15
h16
h17
h18 m1 m2 m3 m4 m5 m6 m7 m8

18. Hash Tree h41 h31 h32 h21 h22 h23 h24 h11 h12 h13 h14 h15 h16 h17 h18m1 m2 m3 m4 m5 m6 m7 m8

19. General Structure
Message m padded to M, a multiple of a fixed-length block
M is divided into segments m1,m2, … mn m1 m2
… … mn IV F F F
hash value …
Merkle-Damgard, 1989
F is called the compression function
Takes inputs mi and output of previous iteration
Typically a series of rounds
Output called a “chaining variable”
Typically, a function operates on chaining variables then adds to mi

20. General Structure Padding “100…0”
MD4, MD5: last 64 bits depend on first block
SHA*: last bits depend on length of message

21. General Structure … … F F F …m1 m2
… … mn IV F F F
hash value …
Avalanche: All output bits depend on all input bits
Diffusion: ideally want change to one input bit to change each
output bit with prob. ½

22. MD4 Rivest, RFC 1320 Fast in software Simple to program
Memory efficient - no large data structures

23. MD4 Notation
word = 32 bits
Message m
XY = X AND Y
X v Y = X OR Y

24. MD4
m’ = m100 … 0
Pad m until it is 64 bits short of a multiple of 512
Message is always padded (i.e. even 448 bits are padded)
Append a 1 followed by 0’s :
M[0 ... N-1] = m’ with low order 64 bits of m appended to it
N is a multiple of 16
Four-word buffer (A,B,C,D) initialize to: A:
B: 89 ab cd ef
C: fe dc ba 98 D:
just counts 0 to 15 and back

25. MD4 – Internal Functions
F(X,Y,Z) = XY v not(X) Z
Bitwise conditional: if X then Y else Z.
G(X,Y,Z) = XY v XZ v YZ
Bitwise majority function: bit positions in which 2 or more bits are 1, output has a 1, else output has a 0
H(X,Y,Z) = X  Y  Z
Bit positions with odd number of 1’s are 1, rest are 0
Note: if bits of X, Y, and Z are independent and unbiased, each bit of F(X,Y,Z) and each bit of G(X,Y,Z) also will be independent and unbiased.

26. MD4 for (i = 0 to N/16-1) { } /* end for i */ Output A,B,C,D
/* Copy block i into X. */
For (j = 0 to 15) { X[j] = M[i*16+j] }
/* Save A, B, C,D */
AA = A BB = B CC = C DD = D
/* Combine Message blocks with A,B,C,D */
Round 1
Round 2
Round 3
Increment A,B,C,D by their values (AA,BB,CC,DD) at start of iteration
} /* end for i */
Output A,B,C,D
compression function
A,B,C,D is chaining variable

27. MD4 Round 1
Function operates on chaining variable,
adds in message block
/* [abcd k s] denotes a = (a + F(b,c,d) + X[k]) <<< s. */
/* 16 operations. */
[ABCD 0 3]; [DABC 1 7]; [CDAB 2 11] ; [BCDA 3 19];
[ABCD 4 3]; [DABC 5 7] ; [CDAB 6 11]; [BCDA 7 19];
[ABCD 8 3]; [DABC 9 7]; [CDAB 10 11]; [BCDA 11 19]
[ABCD 12 3]; [DABC 13 7]; [CDAB 14 11]; [BCDA 15 19];
Note: each word rotates through each of the four positions for each value of s
X[k] (M) combined with A,B,C,D
Words sequential in round 1 (i.e. k = 1,2,3,…. 15 in order)

28. MD4 Round 2 /* [abcd k s] denotes
a = (a + G(b,c,d) + X[k] + 0x5A827999) <<< s. */
/* 16 operations. */
[ABCD 0 3]; [DABC 4 5]; [CDAB 8 9]; [BCDA 12 13];
[ABCD 1 3]; [DABC 5 5]; [CDAB 9 9]; [BCDA 13 13];
[ABCD 2 3]; [DABC 6 5]; [CDAB 10 9]; [BCDA 14 13];
[ABCD 3 3]; [DABC 7 5]; [CDAB 11 9]; [BCDA 15 13];
Word ordering altered from round 1

29. MD4 Round 3 /* Let [abcd k s] denotes
a = (a + H(b,c,d) + X[k] + 0x6ED9EBA1) <<< s. */
/* 16 operations. */
[ABCD 0 3]; [DABC 8 9]; [CDAB 4 11]; [BCDA 12 15]
[ABCD 2 3]; [DABC 10 9]; [CDAB 6 11]; [BCDA 14 15]
[ABCD 1 3]; [DABC 9 9]; [CDAB 5 11]; [BCDA 13 15];
[ABCD 3 3]; [DABC 11 9]; [CDAB 7 11]; [BCDA 15 15]
Word ordering partially altered from round 2

30. MD4 – End of Loop Addition
/* increment each of A,B,C,D by the value it had before this block was started. */
A = A + AA
B = B + BB
C = C + CC
D = D + DD

31. MD4 Constants
5A827999: 32-bit constant, represents the square root of 2. The octal value is
6ED9EBA1: 32-bit constant, represents the square root of 3. The octal value is

32. MD5 Designed to replace MD4 RFC 1321, Rivest for (i = 0 to N/16-1) {
First two and last two rounds of MD4 attacked
RFC 1321, Rivest
for (i = 0 to N/16-1) {
/* Copy block i into X */
For (j = 0 to 15) { X[j] = M[i*16+j] }
/* Save A, B, C,D */
AA = A BB = B CC = C DD = D
/* Combine Message blocks with A,B,C,D */
Round 1
Round 2
Round 3
Round 4
Increment A,B,C,D by value at start of iteration
} /* end for i */
Output A,B,C,D

33. MD5 Changes to MD4 Fourth round added
Each step now has a unique additive constant
The function G changed from (XY v XZ v YZ) to (XZ v Y not(Z)) (less symmetric)
The order in which input words are accessed in rounds 2 and 3 is changed, to make these less like similar to each other.
The shift amounts in each round have been changed to produce a faster avalanche effect. The shifts in different rounds are distinct.

34. MD5 Internal Functions F(X,Y,Z) = XY v not(X) Z
G(X,Y,Z) = XZ v Y not(Z)
H(X,Y,Z) = X  Y  Z
I(X,Y,Z) = Y  (X v not(Z))

35. MD5
Uses a 64-element table T[ ] constructed from the sine function
T[i] equals the integer part of
times abs(sin(i)), where i is in radians

36. MD5 Round 1 /* [abcd k s i] denotes
a = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s). */
/* 16 operations. */
[ABCD 0 7 1] [DABC ] [CDAB ] [BCDA ]
[ABCD 4 7 5] [DABC ] [CDAB ] [BCDA ]
[ABCD 8 7 9] [DABC ] [CDAB ] [BCDA ]
[ABCD ] [DABC ] [CDAB ] [BCDA ]
Constant added, varies

37. MD5 Round 2 /* [abcd k s i] denotes
a = b + ((a + G(b,c,d) + X[k] + T[i]) <<< s). */
/*16 operations. */
[ABCD ] [DABC ] [CDAB ] [BCDA ]
[ABCD ] [DABC ] [CDAB ] [BCDA ]
[ABCD ] [DABC ] [CDAB ] [BCDA ]
[ABCD ] [DABC ] [CDAB ] [BCDA ]
not reusing shift amounts across rounds

38. MD5 Round 3 /* Let [abcd k s t] denotes
a = b + ((a + H(b,c,d) + X[k] + T[i]) <<< s). */
/* Do the following 16 operations. */
[ABCD ] [DABC ] [CDAB ] [BCDA ]
[ABCD ] [DABC ] [CDAB ] [BCDA ]
[ABCD ] [DABC ] [CDAB ] [BCDA ]
[ABCD ] [DABC ] [CDAB ] [BCDA ]
Word ordering altered from round 2 to greater extent than in MD4

39. MD5 Round 4 /* [abcd k s t] denotes
a = b + ((a + I(b,c,d) + X[k] + T[i]) <<< s). */
/* 16 operations. */
[ABCD ] [DABC ] [CDAB ]
[BCDA ] [ABCD ] [DABC ]
[CDAB ] [BCDA ] [ABCD ]
[DABC ] [CDAB ] [BCDA ]
[ABCD ] [DABC ] [CDAB ] [BCDA ]
One more round than MD4

40. MD5 Addition
A = A + AA
B = B + BB
C = C + CC
D = D + DD
Same as MD4

41. RIPEMD, Haval RIPEMD - modified MD4 Haval – modified MD5
Rotation changed
Order of message words altered
Two instances run in parallel with different constants; at end of each block, output of each added to chaining variables
Haval – modified MD5
Processes 1024-bit message blocks instead of 512
Internal functions take 7 variables, nonlinear
Permutes input to round
Chaining variable: 8 segments instead of 4
Different constants

42. SHA-0 Input m  264 bits Output 160 bits
Padded, processed in 512-bit blocks
Each iteration takes 160-bit chaining variable and 512-bit block, outputs 160-bit chaining value
First chaining value is a fixed constant (IV)
Last chaining value is the output

43. SHA-0 Pad m to multiples of 512 bits N 512-bit blocks
Append 1, 0’s, length of m
N 512-bit blocks
For (j=0 to N-1) {
512-bit block divided into 32-bit segments: m0,m1, … m16
Expand to bit segments:
for i = 16 to 79: mi = mi-3  mi-8  mi-14  mi-16
80 32-bit words processed by round function }

44. SHA-0 Round a,b,c,d,e are the chaining variable ki is a round constant
function operating on chaining variables
Rotating segments
of chaining variable
a,b,c,d,e are the chaining variable
ki is a round constant
Function f varies per round – on next slide

45. SHA-0 Round Function

46. SHS NIST FIPS 180-2, Secure Hash Standard (SHS) 2002
SHA-1: message < 264 bits, 160-bit output
SHA-256: message < 264 bits, 256-bit output
SHA-384: message < 2128 bits, 384-bit output
SHA-512: message < 2128 bits, 512-bit output

47. SHA-1 and SHA-256 Padding Message M of l bits
Pad to a multiple of 512 bits
Append a 1
Append k 0’s where l k = 448 mod 512
Append 64 bits equal to the binary representation of l

48. SHA-1 and SHA-256 Processing
N 512-bit blocks
Block denoted by M(i)
32-bit segment of block denoted by Mj(i)
i = ith block
j = jth 32-bit segment of ith block, j = 0,1… 16

49. SHA-1
Internal functions, each operating on three 32-bit words

50. SHA-1
Constants used in the rounds:

51. SHA-1 Initialization of array containing the hash value
Five 32-bit words

52. SHA-1 Algorithm Pad the message M Break into N 512-bit blocks
Initialize H
for i = 1 to N {
Populate W with block i and rotate
Initialize intermediate variables a,b,c,d,e
80 rounds
Update H }
Output H

53. SHA-1
for i = 1 to N:
Change from SHA-0, rotate 1 bit

54. SHA-1
Operating on chaining variable then adding in message block

55. SHA-1
Update chaining variable
end of for i loop
Output :

56. SHA-256 Pad the message M Break into N 512-bit blocks Initialize H
for i = 1 to N {
Populate W with block i and rotate
Initialize intermediate variables a,b,c,d,e,f,g,h
64 rounds
Update H }
Output H

57. SHA-256
logical functions, inputs are 32-bit words
Change from SHA1

58. SHA-256
Constants used in the rounds: bit constants K0, K1 .. K63
Change from SHA1

59. SHA-256
Initialization of chaining variable
Eight 32-bit words

60. SHA-256
for i = 1 to N:
Change from SHA1

61. SHA-256
Operating on chaining variable then adding in message block
Change from SHA1

62. SHA-256
Update chaining variable
end of for i loop
Output :

63. Collisions - Uses Generate meaningful files with the same hash
Example: Code download – replace code, hash file remains unchanged

64. Birthday Paradox  23 people in a room
probability 2 have same birthday is  50%
In general:
Given “random” mapping H(xi) = yi
n inputs, k possible outputs
n(n-1)/2 possible input pairs
probability H(xi) = H(xj) is 1/k
Approximation:
need k/2 pairs for 50% probability so want n > (k) ½ (for match)
Hash functions: want low probability of a match
Larger k is, the more inputs an attacker must try

65. Collisions - Uses Generate certificates with same hash
X.509 certificate:
Name, usage, extension…
RSA public key: (n, e)
Signature of CA
Attack
Two certificates identical except for RSA modulus: n1, n2 n1 ≠n2
MD5(n1) = MD5(n2)
Lenstra, Wang, Weger, Colliding X.509 Certificates, eprint March 2005
Certificates available at
The CA certificate is self-signed
MD5 hashes are not identical when include 4 byte ASN.1 header
*certificate image from Yin, ACNS 2005

66. Collisions Differentials
Recall differential cryptanalysis from block ciphers
Look at  of inputs,  of outputs after each round
In block ciphers, 1 to1 mapping,
Never have in ≠ 0  out = 0
In hash functions, round output shorter than input
There exists in ≠ 0  out = 0
Need to find these ‘s

67. Collisions - Differentials
m ≠ 0 for two inputs can produce =0 in an intermediate value of the hash
MD4, MD5, SHA* … are of the form:
M = [m0,m1, … mn]
For (i=0 to n) {
Process mi, produce Hi (the chaining variable)
Process mi+1, combine with Hi to get Hi+1 … }
Furthermore, mi is only added into chaining variables

68. Collisions Differentials
M = [m0,m1, … mn]
M’ = [m’0,m’1, … m’n]
Find m0, m’0 that produce same chaining variable,
Set mi = m’i for remaining blocks
In MD4, MD5 – issue of padding includes bits from unpadded message
In SHA* - length is append

69. Collisions - Differentials
Processing block M in blocks
M = [m0,m1, … mn]
M’ = [m’0,m’1, … m’n]
Find messages that produce x through block i with high probability
Set jth block of messages to cancel x
Remaining blocks of both messages can be =

70. Existing Hashes: General Structure
Message m padded to M, a multiple of a fixed-length block
M is divided into segments m1,m2, … mn m1 m2
… … mn IV F F F
hash value …
F is called the compression function
Takes inputs mi and output of previous iteration
Typically a series of rounds
Output called a “chaining variable”

71. Collisions
Find M1 ≠ M2 that produce x through block i with high probability
Set subsequent blocks of m1, m2 to cancel x
Remaining blocks of m1, m2 can be =
m11
m1i
m1i+1
m1i+2
m1n
x1i+1
= Z IV
x1i F F F F F H
m21
m2i
m2i+1
m1i+2
m1n
x2i+1
= Z IV
x2i F F F F F H
x1i  x2i = x
x1i+1 = x2i+1

72. Workload of Known Attacks (2005)
Hash function
Expected strength
Known attacks
MD4
264
O(3)
MD5
O(230+)
SHA-0
280
O(239)
SHA-1
O(263)

73. Collisions Wang, Feng, Lai, Yu, 2004
Collisions for MD4, MD5, Haval-256, RIPEMD
Message Modification
Find differential path that produces possible collision
Identify conditions for path to hold
Modify message words to follow path in first round (and second round as much as possible)
Setting messages in this manner increases chance collision holds

74. MD4 Collisions
M’ = M + C
C = (0,231, ,0,0,0,0,0,0,0,0,0,-216,0,0,0)
MD4(M) = MD4(M’)
mi for i = 1,2,12 differ between M and M’

75. MD4 Collision Example m0[16] = {
0xa8b1b641, 0x88d2ecaf, 0xb7d7c1a1, 0x ,
0xffef1639, 0x1934bdcf, 0x30e2adb8, 0x252ac4b4,
0x7bad86a5, 0x7883f30e, 0x8b37f23b, 0xd694dce0,
0x701d8b69, 0x045095eb, 0x92012e03, 0x71ed419e }
m1[16] = {
0xa8b1b641, 0x08d2ecaf, 0x27d7c1a1, 0x ,
0x701c8b69, 0x045095eb, 0x92012e03, 0x71ed419e

76. MD5 – Prior Collisions
Bert den Boer and Bosselaers: pseudo-collision for MD5 - same message with different IVs
Dobbertin: two different 512-bit messages with a chosen initial value different from that in MD5

77. MD5 Collisions M,N each 512 bits N,N’ cancels differential from M,M’
Uses initial IV of MD5
Two 1024-bit messages
~ 1 hour to find M’s, 5-15 minutes to find N’s

78. SHA-0 Collisions 2004 Joux pair of 2048 bit inputs
80K CPU hours (3 weeks)
Work equivalent of 251 hashes
Local differentials of 6 steps

79. SHA-0 Collisions Wang, Yu, Yin 2005
Full collision in equivalent work of 239 hashes
Impossible differential in rounds 2-4
Local collisions in round 1
Conditions that this differential path holds

80. SHA-0 Local Collisions Wang 1997 Let mi,j = ith message word, jth bit
6 step local collision that can start at any step i
used to construct full collisions
If a message difference in bit j first occurs in step i
Difference will affect chaining variables a,b,c,d,e consecutively in the next five steps
To offset these differences and reach a local collision, differences introduced in subsequent message words
Probability associated with the local collision depends on the boolean function, j, and conditions on the message bits
One attack:
j = 2
Conditions mi,2 = ⌐mi+1,7 and mi,2 = ⌐mi+2,2

81. SHA-0 Local Collision
nc = no carry

82. SHA-0 Collisions Biham and Chen 2004
started at i > 17
start at i = 22, work O(256) hashes
near collisions with work O(240) hashes
Biham and Chen (2004), Joux (2004), Wang and Yu (2005)
Multi-block collisions
Use near collisions in several blocks to produce overall collision
Used with above, Joux had first full collision, work O(251) hashes

83. SHA-1 Collisions
Rijmen and Oswald 2005: collisions for 53 reduced-round version
Wang, Yin, Yu 2005: Collisions without padding on full 80 rounds, work  O(269) hashes
Wang, Yao, Yao 2005: Improved above attack to work  O(263) hashes
Rechberger and De Cannière 2006: way to choose part of the message

84. SHA-256
Round function has local collision with probability in the range 2-9 to 2-39
Message expansion is more complicated than SHA-0, SHA-1
Expansion block from 16 to 64 words

85. Colliding Certificates
Fill in all fields except for
RSA public key modulus, n
signature (except for first zero byte - to prevent bit string from being a negative integer)
Three requirements:
compliant to X.509 and the ASN.1 DER
byte lengths of modulus, n, and public exponent, e, fixed in advance
Can fix e as “Fermat-4” number e = Same e used in both certificates.
position where public key modulus starts is an exact multiple of 64 bytes after the beginning of the “to be signed” part – do by adding dummy information to the subject Distinguished Name. i.e. want part prior to n to be an integral number of message blocks to which the message blocks containing n are appended when computing the MD5 hash
Run MD5 on the first portion of the “to be signed” part, truncated at the position where n starts This input to MD5 is an exact multiple of 512 bits. Suppress the padding normally used in MD5, use output as IV to for the next step. i.e. this would be the chaining variable input to the iteration in which n starts to be processed
Construct two different 1024 bit strings b1 and b2 for which the MD5 compression function with the IV from the previous step produces a collision

86. Colliding Certificates
Construct two RSA moduli from b1 and b2 by appending to each the same 1024-bit string b
Generate random primes p1 and p2 of ~512 bits, such that e is coprimeto p1 − 1 and p2 − 1
Compute b0 between 0 and p1p2 such that p1|b b0 and p2|b b0
For k = 0, 1, 2, . . .,
compute b = b0 + kp1p2;
Check if both q1 = (b b)/p1 and q2 = (b b)/p2 are primes
Check if e is coprime to both q1 − 1 and q2 − 1
If k is such that b  , restart with new random primes p1, p2
Stop when q1 and q2 have been found; output
n1 = b b
n2 = b b
p1, p2, q1, q2
Expect that this algorithm will produce in a reasonable time, two RSA moduli n1 = p1q1 and n2 = p2q2, that will form an MD5-collision with the specified IV
p1 and p2 are around 500 bits in size, usually takes a few minutes
few days when 512 bit p1, p2 and 1536 bit q1, q2 (search space for k nearly empty)

87. Colliding Certificates
Insert the modulus n1 into the certificate - “to be signed” part is complete
Compute the MD5 hash of the entire “to be signed” part (including MD5-padding, standard MD5-IV)
Apply PKCS#1v1.5-padding3, and perform a modular exponentiation using the issuing Certification Authority’s private key.
This gives the signature, which is added to the certificate.
First certificate now is complete.
Second certificate – use n2 as the public key modulus and signature still valid

88. NIST Hash Workshop Proposed competition – SHA3
Call for proposals – Nov. 2007
Allow time for public comments on hash function requirements
Review submissions starting in 2009
Select winner end of 2011
Standard released in 2012
Then time to integrate into applications
6+ years before standard replacement

89. SHA3 Requirements NIST does not currently plan to withdraw SHA-2
SHA-3 can be directly substituted for SHA-2 in current applications
must provide message digests of 224, 256, 384 and 512-bits to allow substitution for the SHA-2 family
160-bit hash value produced by SHA-1 is becoming too small to use for digital signatures
a 160-bit replacement hash algorithm is not contemplated.

90. SHA3 Requirements
Certain properties of the SHA-2 hash functions must be preserved
input parameters, output sizes
collision resistance, preimage resistance, second-preimage resistance
“one-pass” streaming mode of execution
successful attack on the SHA-2 hash functions is unlikely to be applicable to SHA-3.
be suitably flexible for a wide variety of implementations,
May offer additional properties
randomized hashing
parallelizable
more efficient to implement on some platforms
more suitable for certain applications
may avoid some of the incidental “generic” properties (such as length extension) of the Merkle-Damgard construct that often result in insecure applications
For interoperability, prefer a single hash algorithm family (different size message digests be internally generated in as similar a manner as possible)

91. Approaches Augment existing hash functions:
Add bit count to input – part of chaining value
Padding: 1, 0’s, hash size, message length
New algorithms, with approach similar to past hashes – chaining
New approaches that avoid Merkle-Damgard chaining
Algorithm related to mathematically hard problems

92. Alternatives CMC mode Binary tree Forward and backward diffusion
Use last block
Inefficient – memory requirements
> double computational work
Binary tree
Block cipher, PRP construct as nodes
double computational work m1 m2 m3 m4 T X1 X4 M M M M T
hash m1 m2 m3 m4
hash

93. Alternatives Hybrid CMC mode or chaining on segments
Subset of output forms next layer
m blocks
m blocks
m blocks
m blocks
m blocks
m blocks
m blocks
m blocks
m blocks

94. Segment Processing CMC mode:
forward and backward diffusion across blocks
collision implies weakness in block cipher m1 m2 m3 m4 T X1 X4 M M M M T
segment output

95. Segment Processing … … … … Elastic Chaining mode:IV
128
128
128
input …
128
128
128
128
128
128 … …
128
128
128
128
128
128
segment output
128
Elastic Chaining mode:
Only forward diffusion
… but less memory/intermediate state than CMC mode
If key is based on first block, collision implies weakness in block cipher
Use elastic version of 128-bit cipher or a 256-bit cipher

96. Segment Processing
Don’t use existing forward chaining in segment – differential attack applies to segment
m11
m12
m13
m14
m1l
x13
= Z IV
x12
segment output F F F F F
m21
m22
m23
m24
m2l
x23
= Z IV
x22
segment output F F F F F
x12  x22 = x